[PATCH v2 0/2] mptcp: pm: fix extra_subflows underflow for userspace PM

[PATCH v2 0/2] mptcp: pm: fix extra_subflows underflow for userspace PM

[Tao Cui]

This is v2 of the series that fixes extra_subflows u8 underflow bugs
in the MPTCP userspace path manager.

extra_subflows is a u8 field in struct mptcp_pm_data. Two code paths
in the userspace PM can cause it to underflow from 0 to 255, after
which the counter is permanently corrupted and future subflow
creation is blocked.

Patch 1 skips the spurious mptcp_pm_close_subflow() call in
__mptcp_subflow_connect() when the userspace PM is in use, since it
does not pre-increment extra_subflows before attempting subflow
creation.

Patch 2 adds an underflow guard in mptcp_pm_subflow_check_next() to
avoid decrementing extra_subflows when it is already zero.

Tao Cui (2):
  mptcp: pm: fix extra_subflows underflow on userspace PM connect
    failure
  mptcp: pm: add extra_subflows underflow guard for userspace PM

 net/mptcp/pm.c      | 3 ++-
 net/mptcp/subflow.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

---
Changes in v2:
  - Dropped the use-after-free fix.
  - Split the underflow fix into two patches, one per code path.
v1:
  https://lore.kernel.org/all/20260509075629.217791-2-cuitao@kylinos.cn/
--
2.43.0

[PATCH v2 1/2] mptcp: pm: fix extra_subflows underflow on userspace PM connect failure

[Tao Cui]

__mptcp_subflow_connect() calls mptcp_pm_close_subflow() on failure
to roll back the pre-increment done by kernel PM's fill_*() helpers.
The userspace PM does not pre-increment — it only increments after
__mptcp_subflow_connect() succeeds — so this decrement is spurious.

Fix it by gating mptcp_pm_close_subflow() on the PM type.

Signed-off-by: Tao Cui <cuitao@kylinos.cn>
---
 net/mptcp/subflow.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
index d562e149606f..c45ad67cb650 100644
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -1716,7 +1716,8 @@ int __mptcp_subflow_connect(struct sock *sk, const struct mptcp_pm_local *local,
 	/* we account subflows before the creation, and this failures will not
 	 * be caught by sk_state_change()
 	 */
-	mptcp_pm_close_subflow(msk);
+	if (!mptcp_pm_is_userspace(msk))
+		mptcp_pm_close_subflow(msk);
 	return err;
 }
 
-- 
2.43.0

[PATCH v2 2/2] mptcp: pm: add extra_subflows underflow guard for userspace PM

[Tao Cui]

mptcp_pm_subflow_check_next() decrements extra_subflows unconditionally
for the userspace PM without checking that the counter is non-zero.
Since extra_subflows is a u8, an underflow from 0 to 255 permanently
corrupts the counter and blocks future subflow creation.

Add an underflow guard to prevent this.

Signed-off-by: Tao Cui <cuitao@kylinos.cn>
---
 net/mptcp/pm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/mptcp/pm.c b/net/mptcp/pm.c
index 3c152bf66cd5..a83a56b467f9 100644
--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -655,7 +655,8 @@ void mptcp_pm_subflow_check_next(struct mptcp_sock *msk,
 	if (mptcp_pm_is_userspace(msk)) {
 		if (update_subflows) {
 			spin_lock_bh(&pm->lock);
-			pm->extra_subflows--;
+			if (pm->extra_subflows)
+				pm->extra_subflows--;
 			spin_unlock_bh(&pm->lock);
 		}
 		return;
-- 
2.43.0

Re: [PATCH v2 0/2] mptcp: pm: fix extra_subflows underflow for userspace PM

[Tao Cui]

Sorry, I missed adding --subject-prefix="PATCH mptcp-next" when running git format-patch.

在 2026/5/14 17:50, Tao Cui 写道:
> This is v2 of the series that fixes extra_subflows u8 underflow bugs
> in the MPTCP userspace path manager.
> 
> extra_subflows is a u8 field in struct mptcp_pm_data. Two code paths
> in the userspace PM can cause it to underflow from 0 to 255, after
> which the counter is permanently corrupted and future subflow
> creation is blocked.
> 
> Patch 1 skips the spurious mptcp_pm_close_subflow() call in
> __mptcp_subflow_connect() when the userspace PM is in use, since it
> does not pre-increment extra_subflows before attempting subflow
> creation.
> 
> Patch 2 adds an underflow guard in mptcp_pm_subflow_check_next() to
> avoid decrementing extra_subflows when it is already zero.
> 
> Tao Cui (2):
>   mptcp: pm: fix extra_subflows underflow on userspace PM connect
>     failure
>   mptcp: pm: add extra_subflows underflow guard for userspace PM
> 
>  net/mptcp/pm.c      | 3 ++-
>  net/mptcp/subflow.c | 3 ++-
>  2 files changed, 4 insertions(+), 2 deletions(-)
> 
> ---
> Changes in v2:
>   - Dropped the use-after-free fix.
>   - Split the underflow fix into two patches, one per code path.
> v1:
>   https://lore.kernel.org/all/20260509075629.217791-2-cuitao@kylinos.cn/
> --
> 2.43.0

Re: [PATCH v2 0/2] mptcp: pm: fix extra_subflows underflow for userspace PM

[Tao Cui]

Sorry everyone, please ignore this v2 patch submission.
I missed the review note from Sashiko when preparing this update:

  " sashiko adds some comments here, please address them in v2:
    https://sashiko.dev/#/patchset/20260509075629.217791-2-cuitao@kylinos.cn "

Besides, the race condition scenario pointed out by Sashiko also needs to be handled.
I will send out the v3 patch later to fix all these issues.

在 2026/5/14 18:00, Tao Cui 写道:
> 
> Sorry, I missed adding --subject-prefix="PATCH mptcp-next" when running git format-patch.
> 
> 在 2026/5/14 17:50, Tao Cui 写道:
>> This is v2 of the series that fixes extra_subflows u8 underflow bugs
>> in the MPTCP userspace path manager.
>>
>> extra_subflows is a u8 field in struct mptcp_pm_data. Two code paths
>> in the userspace PM can cause it to underflow from 0 to 255, after
>> which the counter is permanently corrupted and future subflow
>> creation is blocked.
>>
>> Patch 1 skips the spurious mptcp_pm_close_subflow() call in
>> __mptcp_subflow_connect() when the userspace PM is in use, since it
>> does not pre-increment extra_subflows before attempting subflow
>> creation.
>>
>> Patch 2 adds an underflow guard in mptcp_pm_subflow_check_next() to
>> avoid decrementing extra_subflows when it is already zero.
>>
>> Tao Cui (2):
>>   mptcp: pm: fix extra_subflows underflow on userspace PM connect
>>     failure
>>   mptcp: pm: add extra_subflows underflow guard for userspace PM
>>
>>  net/mptcp/pm.c      | 3 ++-
>>  net/mptcp/subflow.c | 3 ++-
>>  2 files changed, 4 insertions(+), 2 deletions(-)
>>
>> ---
>> Changes in v2:
>>   - Dropped the use-after-free fix.
>>   - Split the underflow fix into two patches, one per code path.
>> v1:
>>   https://lore.kernel.org/all/20260509075629.217791-2-cuitao@kylinos.cn/
>> --
>> 2.43.0

Re: [PATCH v2 0/2] mptcp: pm: fix extra_subflows underflow for userspace PM

[MPTCP CI]

Hi Tao,

Thank you for your modifications, that's great!

Our CI did some validations and here is its report:

- KVM Validation: normal (except selftest_mptcp_join): Success! ✅
- KVM Validation: normal (only selftest_mptcp_join): Success! ✅
- KVM Validation: debug (except selftest_mptcp_join): Success! ✅
- KVM Validation: debug (only selftest_mptcp_join): Success! ✅
- KVM Validation: btf-normal (only bpftest_all): Success! ✅
- KVM Validation: btf-debug (only bpftest_all): Success! ✅
- Task: https://github.com/multipath-tcp/mptcp_net-next/actions/runs/25854223893

Initiator: Patchew Applier
Commits: https://github.com/multipath-tcp/mptcp_net-next/commits/34573f7001fb
Patchwork: https://patchwork.kernel.org/project/mptcp/list/?series=1094704


If there are some issues, you can reproduce them using the same environment as
the one used by the CI thanks to a docker image, e.g.:

    $ cd [kernel source code]
    $ docker run -v "${PWD}:${PWD}:rw" -w "${PWD}" --privileged --rm -it \
        --pull always mptcp/mptcp-upstream-virtme-docker:latest \
        auto-normal

For more details:

    https://github.com/multipath-tcp/mptcp-upstream-virtme-docker


Please note that despite all the efforts that have been already done to have a
stable tests suite when executed on a public CI like here, it is possible some
reported issues are not due to your modifications. Still, do not hesitate to
help us improve that ;-)

Cheers,
MPTCP GH Action bot
Bot operated by Matthieu Baerts (NGI0 Core)